Security Flaw or Just Bad Design? Bypassing Server-Side Validation in GraphQL
Hey everyone, I need your expert opinion on a finding I recently submitted.
The Case:
I found a GraphQL mutation used to create a shipping address. The web UI has a "Validation" step before "Creation." However, the Server-Side Mutation for creating the address (CreateShippingAddress) doesn't actually verify if the address is valid or if the validation step was even called.
The Exploit:
Using Burp Suite, I can send the creation request directly with completely fake data (e.g., City: "123", Zip: "ABC", mismatched State/City). The server accepts it, saves it to my profile, and it shows up as a "Verified" address in the UI.
The Debate:
Some people say this is just a "Functional Bug" because it doesn't leak data. But I argued it's a "Business Logic Vulnerability" because:
- It bypasses intended security/logic controls (CWE-602).
- It allows for massive Database Pollution and Resource Exhaustion (Spamming 10k addresses via Intruder).
- It causes direct Financial Loss to the company (Shipping packages to non-existent addresses, RTO fees).
What do you think?
Have you seen companies pay for this as a Medium bounty?
Or is it likely to be closed as "Informative / Won't Fix"?
Does the fact that it's on a Production e-commerce site change your evaluation?
I'd love to hear your experiences with similar "Validation Bypass" reports in GraphQL.